author | Sumit Bose <sbose@redhat.com> | 2015-04-29 16:46:14 +0200 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2015-05-06 10:43:59 +0200 |
commit | 0f9c28eb52d2b45c8a97f709308dc11377831b8c (patch) | |
tree | 4fd1d28e4a9fe217fa7e1d3faf43e5c781ec9d50 /src/providers/ldap | |
parent | 35b178d02dfd293778aefbc0b465a5a3a4b6cd8f (diff) | |
IPA: allow initgroups by UUID for FreeIPA users
If a FreeIPA user is looked up with the help of an override name, the UUID
from the override anchor is used to search for the user. Currently the
initgroups request only allows searches by SID or name. With this patch
a UUID can be used as well.
Related to https://fedorahosted.org/sssd/ticket/2642
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Diffstat (limited to 'src/providers/ldap')
-rw-r--r-- | src/providers/ldap/ldap_id.c | 20 | ||||
-rw-r--r-- | src/providers/ldap/sdap_async.h | 1 | ||||
-rw-r--r-- | src/providers/ldap/sdap_async_initgroups.c | 14 |
3 files changed, 20 insertions, 15 deletions
diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c
index d65bd5f6a..997313bec 100644
--- a/src/providers/ldap/ldap_id.c
+++ b/src/providers/ldap/ldap_id.c
@@ -965,6 +965,7 @@ struct groups_by_user_state {
     struct sss_domain_info *domain;
 
     const char *name;
+    int name_type;
     const char *extra_value;
     const char **attrs;
 
@@ -983,6 +984,7 @@ static struct tevent_req *groups_by_user_send(TALLOC_CTX *memctx,
                                               struct sdap_domain *sdom,
                                               struct sdap_id_conn_ctx *conn,
                                               const char *name,
+                                              int name_type,
                                               const char *extra_value,
                                               bool noexist_delete)
 {
@@ -1008,6 +1010,7 @@ static struct tevent_req *groups_by_user_send(TALLOC_CTX *memctx,
     }
 
     state->name = name;
+    state->name_type = name_type;
     state->extra_value = extra_value;
     state->domain = sdom->dom;
     state->sysdb = sdom->dom->sysdb;
@@ -1070,6 +1073,7 @@ static void groups_by_user_connect_done(struct tevent_req *subreq)
                                   state->ctx, state->conn,
                                   state->name,
+                                  state->name_type,
                                   state->extra_value,
                                   state->attrs);
     if (!subreq) {
@@ -1393,7 +1397,8 @@ sdap_handle_acct_req_send(TALLOC_CTX *mem_ctx,
     case BE_REQ_INITGROUPS: /* init groups for user */
         if (ar->filter_type != BE_FILTER_NAME
-            && ar->filter_type != BE_FILTER_SECID) {
+            && ar->filter_type != BE_FILTER_SECID
+            && ar->filter_type != BE_FILTER_UUID) {
             ret = EINVAL;
             state->err = "Invalid filter type";
             goto done;
@@ -1403,21 +1408,12 @@ sdap_handle_acct_req_send(TALLOC_CTX *mem_ctx,
             state->err = "Invalid attr type";
             goto done;
         }
-        if (ar->filter_type == BE_FILTER_SECID && ar->extra_value != NULL
-            && strcmp(ar->extra_value, EXTRA_NAME_IS_SID) != 0) {
-            DEBUG(SSSDBG_OP_FAILURE,
-                  "Unexpected extra value [%s] for BE_FILTER_SECID.\n",
-                  ar->extra_value);
-            ret = EINVAL;
-            state->err = "Invalid extra value";
-            goto done;
-        }
 
         subreq = groups_by_user_send(state, be_ctx->ev, id_ctx, sdom, conn,
                                      ar->filter_value,
-                                     (ar->filter_type == BE_FILTER_SECID)
-                                     ? EXTRA_NAME_IS_SID : ar->extra_value,
+                                     ar->filter_type,
+                                     ar->extra_value,
                                      noexist_delete);
         break;
diff --git a/src/providers/ldap/sdap_async.h b/src/providers/ldap/sdap_async.h
index 29afd8e1a..f2ea9bf2e 100644
--- a/src/providers/ldap/sdap_async.h
+++ b/src/providers/ldap/sdap_async.h
@@ -136,6 +136,7 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
                                         struct sdap_id_ctx *id_ctx,
                                         struct sdap_id_conn_ctx *conn,
                                         const char *name,
+                                        int name_type,
                                         const char *extra_value,
                                         const char **grp_attrs);
 int sdap_get_initgr_recv(struct tevent_req *req);
diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c
index 5c5be5eab..4f775d76b 100644
--- a/src/providers/ldap/sdap_async_initgroups.c
+++ b/src/providers/ldap/sdap_async_initgroups.c
@@ -2667,6 +2667,7 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
                                         struct sdap_id_ctx *id_ctx,
                                         struct sdap_id_conn_ctx *conn,
                                         const char *name,
+                                        int name_type,
                                         const char *extra_value,
                                         const char **grp_attrs)
 {
@@ -2716,10 +2717,17 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
 
     if (extra_value && strcmp(extra_value, EXTRA_NAME_IS_UPN) == 0) {
         search_attr = state->opts->user_map[SDAP_AT_USER_PRINC].name;
-    } else if (extra_value && strcmp(extra_value, EXTRA_NAME_IS_SID) == 0) {
-        search_attr = state->opts->user_map[SDAP_AT_USER_OBJECTSID].name;
     } else {
-        search_attr = state->opts->user_map[SDAP_AT_USER_NAME].name;
+        switch (name_type) {
+        case BE_FILTER_SECID:
+            search_attr = state->opts->user_map[SDAP_AT_USER_OBJECTSID].name;
+            break;
+        case BE_FILTER_UUID:
+            search_attr = state->opts->user_map[SDAP_AT_USER_UUID].name;
+            break;
+        default:
+            search_attr = state->opts->user_map[SDAP_AT_USER_NAME].name;
+        }
     }
 
     state->user_base_filter =
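Review bot: The new `name_type` parameter in the sdap_get_initgr_send prototype carries no documentation of its accepted values, and this header is where callers outside src/providers/ldap (not part of this diff) will look it up. A short comment on the declaration would fix that: `/* name_type: BE_FILTER_NAME, BE_FILTER_SECID or BE_FILTER_UUID; selects the user attribute that 'name' is matched against */`. Declaring it as a bare `int` also hides the accepted set from the compiler; if the BE_FILTER_* constants form an enum, using that enum type here and in the ldap_id.c state struct would be clearer.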
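Review bot: In the rewritten attribute selection of sdap_get_initgr_send, an `extra_value` equal to EXTRA_NAME_IS_UPN is still tested before `name_type` is consulted, so a request carrying BE_FILTER_SECID or BE_FILTER_UUID together with that extra value would match the SID or UUID string against the principal attribute; the consistency check that ldap_id.c performed on extra_value for BE_FILTER_SECID is removed in this commit and nothing replaces it. Restricting the UPN branch to name lookups closes that gap: `if (name_type == BE_FILTER_NAME && extra_value && strcmp(extra_value, EXTRA_NAME_IS_UPN) == 0) {`. The `default:` arm also silently treats any other name_type as a plain name search; since the function is exported through sdap_async.h, a `DEBUG(SSSDBG_OP_FAILURE, ...)` line there naming the unexpected value would make a wrong caller visible in the logs. Whether `name` is filter-sanitized before it is formatted into user_base_filter lies outside the hunk and cannot be confirmed here; the body of sdap_get_initgr_send continues past the hunk.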